Subdomain hunting

Tips and tricks

  • Do not forget to perform recursive DNS enumeration.

Create a list of enumerated subdomains with their associated IP address.

Format: <subdomain> <IP>

# Only "has address" (A record) lines are kept, so IPv6 answers and subdomains that are CNAMEs to third-party hosts are dropped by the domain grep
while read -r sub; do host "$sub" | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4; done < subdomainlist

Create a list of only the IP addresses from a subdomain list

Format: <IP>

# sort -u removes the duplicates that appear when several subdomains share one IP
while read -r sub; do host "$sub" | grep "has address" | grep inlanefreight.com | cut -d" " -f4; done < subdomainlist | sort -u > ip-addresses.txt
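The same extraction as a small script, added here as an example (it is not from the original notes), that parses `host` output piped to it instead of grepping line by line. It keeps subdomains whose record is a CNAME to a third-party host, which the `grep inlanefreight.com` filter above silently drops. The sample `host` output, the fictitious hosts in it and the file name hostmap.py are constructed for the illustration.

```python
"""hostmap.py: turn `host` output into (subdomain, IP) pairs, following CNAMEs.

Added example, not part of the original notes. No DNS queries are made here;
the sample below is constructed to look like what `host` prints.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: what `for i in $(cat subdomainlist); do host $i; done` might print.
SAMPLE_HOST_OUTPUT = """\
www.inlanefreight.com has address 10.129.42.10
www.inlanefreight.com has IPv6 address 2001:db8::10
mail.inlanefreight.com has address 10.129.42.11
mail.inlanefreight.com mail is handled by 10 mail.inlanefreight.com.
blog.inlanefreight.com is an alias for hosting.example-cdn.net.
hosting.example-cdn.net has address 203.0.113.77
Host ghost.inlanefreight.com not found: 3(NXDOMAIN)
"""

ADDR_RE = re.compile(r"^(\S+) has address (\S+)$")          # A records only
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")     # CNAME lines


def _expand(name: str, aliases: Dict[str, Set[str]]) -> Set[str]:
    """Return `name` plus every name that CNAMEs to it, following chains."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(aliases.get(current, ()))
    return seen


def parse_host_output(text: str, domain: str) -> List[Tuple[str, str]]:
    """Sorted unique (subdomain, IPv4) pairs for names under `domain`.

    A subdomain that is an alias for an external host gets the IP of the
    alias target, instead of being filtered out by the domain name.
    """
    domain = domain.lower()
    suffix = "." + domain
    aliases: Dict[str, Set[str]] = defaultdict(set)  # CNAME target -> names pointing at it
    pairs: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            name, target = m.group(1).lower().rstrip("."), m.group(2).lower().rstrip(".")
            aliases[target].add(name)
            continue
        m = ADDR_RE.match(line)
        if m:
            name, ip = m.group(1).lower().rstrip("."), m.group(2)
            for candidate in _expand(name, aliases):
                if candidate == domain or candidate.endswith(suffix):
                    pairs.add((candidate, ip))
    return sorted(pairs)


def unique_ips(pairs: List[Tuple[str, str]]) -> List[str]:
    """The <IP>-only list, deduplicated."""
    return sorted({ip for _, ip in pairs})


if __name__ == "__main__":
    # Usage: for i in $(cat subdomainlist); do host $i; done | python3 hostmap.py inlanefreight.com
    target = sys.argv[1] if len(sys.argv) > 1 else "inlanefreight.com"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HOST_OUTPUT
    for sub, ip in parse_host_output(data, target):
        print(sub, ip)
```

With no input on stdin the script runs on the constructed sample, so you can see the blog.inlanefreight.com entry that the grep chain would lose.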

aiodnsbrute

Very fast, asyncio-based DNS brute-forcing tool. Brute forcing queries the target's name servers directly, so it is not passive.

crt.sh

Search Certificate Transparency logs for certificates issued for a domain.

This one-liner extracts all unique names (common names and the newline-separated name_value SANs) from certificates associated with a domain. Use q=%25.toromont.com to explicitly request names under the domain; wildcard entries (*.toromont.com) in the output do not resolve on their own, but they are a hint that brute forcing is worthwhile.

curl -s "https://crt.sh/?q=toromont.com&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u
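As an added example (not part of the original notes), the same extraction in Python, run here on a constructed crt.sh-shaped response so it works offline: it splits the newline-separated name_value SANs, lowercases, drops names outside the target domain and, by default, wildcard entries. The helper names, the %.domain query URL, the file name crtsh_names.py and the User-Agent string are my choices, not anything crt.sh documents.

```python
"""crtsh_names.py: unique hostnames from a crt.sh JSON response.

Added example, not from the original notes. `names_from_crtsh` is pure and is
exercised on a constructed sample; `fetch_crtsh` does the live query.
"""
import json
import sys
import urllib.parse
import urllib.request
from typing import List

# Constructed sample shaped like crt.sh's JSON: name_value may carry several
# SANs separated by newlines, case varies, and wildcard entries are common.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "VPN.Example.com",
     "name_value": "VPN.Example.com"},
    # Not under example.com at all; a naive substring grep would keep it.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.net",
     "name_value": "example.com.evil.net"},
])


def crtsh_url(domain: str) -> str:
    """Query URL with a %.domain pattern (URL-encoded to %25.) to match names under the domain."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": f"%.{domain}", "output": "json"})


def names_from_crtsh(raw_json: str, domain: str, keep_wildcards: bool = False) -> List[str]:
    """Sorted unique lowercase names equal to `domain` or beneath it."""
    domain = domain.lower()
    suffix = "." + domain
    names = set()
    for entry in json.loads(raw_json):
        for field in ("common_name", "name_value"):
            for name in (entry.get(field) or "").split("\n"):
                name = name.strip().lower().rstrip(".")
                if not name:
                    continue
                if name.startswith("*.") and not keep_wildcards:
                    continue  # wildcard certs name no resolvable host
                if name == domain or name.endswith(suffix):
                    names.add(name)
    return sorted(names)


def fetch_crtsh(domain: str, timeout: float = 30.0) -> str:
    """Live query; crt.sh is slow and rate limited, so keep the timeout generous."""
    req = urllib.request.Request(crtsh_url(domain), headers={"User-Agent": "crtsh-names/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python3 crtsh_names.py toromont.com   (no argument: run on the sample)
    if len(sys.argv) > 1:
        target = sys.argv[1]
        raw = fetch_crtsh(target)
    else:
        target, raw = "example.com", SAMPLE_CRTSH_JSON
    for n in names_from_crtsh(raw, target):
        print(n)
```

Feed the output into the subdomain list used by the host loops above; the lowercasing matters because crt.sh preserves the case the CA logged, which otherwise shows up as duplicates after sort -u.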

Amass

Requires a configuration file with API keys for its passive data sources. I really love this tool for subdomain enumeration. Note that -active makes Amass touch the target (zone transfer attempts, certificate grabs), so drop it when the engagement has to stay passive.

amass enum -active -nolocaldb -config config.ini -d example.com -o example.txt

# Brute forcing with a wordlist
amass enum -active -brute -w /usr/share/wordlists/API_superlist -d [target domain] -dir [directory name]

# Intel module: find related domains from an ASN and reverse WHOIS
amass intel -asn 394161 -whois -d tesla.com

Omnisint

A front end to Rapid7's Project Sonar dataset.

Among other things, it offers subdomain enumeration and reverse DNS lookups. Because it queries a scan dataset rather than the target, it is fully passive; check that the public API is still reachable before relying on it.

Crobat is its CLI client.

Censys

The Censys CLI can run searches from the command line.

An account is needed to obtain an API ID and secret.

Export the API ID and secret in your .bashrc (or store them with censys config):

export CENSYS_API_ID=xxxxxxxx-XXXX-XXXX-XXXX-XXXXXXXXXXXX
export CENSYS_API_SECRET=xxxXXXXXXXXXXXXXXXXXXXXXXXXXX

Extract the IP addresses only. If your CLI version prints JSON, jq -r '.[].ip' is a more robust extractor than the grep chain:

censys search hackerone.com | grep '"ip"' | grep -Ev "description" | cut -d ":" -f 2 | tr -d '", ' | sort -u
